c9de63cf29
Security hardening + CalVer 2026.05.22 for first PyPI publish
Margaret Hamilton pre-publish review found 5 blockers + 9 flags. All
correctness/security issues fixed; H6 (connection pooling perf) deferred.
caching.py — comprehensive hardening:
- B3: base64.b64decode now uses validate=True (no silent mangling)
- B4: MCP_ALLOW_LOCAL_FILES evaluated per request, not at import
- B5: extension allowlist + 0o700 temp dir + 0o600 files + O_EXCL writes
- B2+H5: MCP_MAX_UPLOAD_BYTES / MCP_MAX_DOWNLOAD_BYTES caps (50MB default),
enforced pre-decode and during chunked downloads
- H1: env var parsing strip()+lower(), truthy set {true,1,yes,on}
- H3: UUID-based unique temp paths replace SHA-prefix collision risk
- H7: ZIP magic bytes disambiguated via [Content_Types].xml peek
- H8: stronger CSV heuristic (commas/tabs + UTF-8 + no NULs)
- H9: specific exceptions in cache I/O with logged warnings
- New: upload_cleanup_scope() context manager + ContextVar tracker
decorators.py:
- cleanup_temp_uploads decorator wraps tool methods, auto-cleans temp
upload files on return OR exception (B1+H4)
validation.py:
- OfficeFileError.__init__ scrubs /tmp/mcp_office_uploads/ paths from
messages so server paths never leak to HTTP callers (H2)
mixins/{universal,word,excel}.py:
- @cleanup_temp_uploads applied to all 19 tool methods that resolve files
tests/test_security_hardening.py:
- 24 new tests, one per Hamilton finding, prove fixes work and catch
regressions. Including end-to-end: temp file created → exists during
scope → gone after scope exit (success AND exception paths)
pyproject.toml:
- version 0.1.0 → 2026.05.22 (CalVer per CLAUDE.md convention)
- URLs updated GitHub → git.supported.systems/MCP/mcwaddams
- Belt-and-suspenders sdist exclude list (defends against future
include-list edits accidentally shipping CLAUDE.md, .env, etc.)
2026-05-22 14:49:00 -06:00 |
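The caching.py hardening items above (B2/B3 size cap before a strict base64 decode, B5 allowlist plus 0o700/0o600/O_EXCL, H3 UUID temp names, H1/B4 per-request env parsing, H2 path scrubbing, and the B1/H4 cleanup-on-return-or-exception scope) pulled together into one runnable flow. This is an added illustration written for this page, not the project's caching.py or decorators.py: the env var names `MCP_MAX_UPLOAD_BYTES` / `MCP_ALLOW_LOCAL_FILES` and the 50 MB default come from the commit message, while the function names, the `UploadRejected` type, the extension allowlist and the `handle_upload` driver are assumptions made here.

```python
import base64
import binascii
import contextlib
import os
import tempfile
import uuid
from pathlib import Path

# Added example, not the project's caching.py. Env var names and the 50 MB
# default follow the commit message; everything else below is assumed.
TRUTHY = {"true", "1", "yes", "on"}
ALLOWED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".csv"}  # assumed allowlist
DEFAULT_MAX_UPLOAD = 50 * 1024 * 1024
SAMPLE_B64 = base64.b64encode(b"a,b\n1,2\n").decode()  # constructed sample upload


class UploadRejected(ValueError):
    """Raised for any input the server refuses to touch."""


def env_flag(name: str, default: bool = False) -> bool:
    # H1/B4: strip + lower against a fixed truthy set, read at call time
    # (per request) rather than frozen when the module is imported.
    raw = os.environ.get(name)
    return default if raw is None else raw.strip().lower() in TRUTHY


def env_int(name: str, default: int) -> int:
    raw = os.environ.get(name, "").strip()
    return int(raw) if raw.isdigit() else default


def decode_upload(b64: str, max_bytes: int) -> bytes:
    # B2: bound the decoded size from the encoded length *before* decoding,
    # so an oversize payload is never materialised in memory.
    if (len(b64) * 3) // 4 > max_bytes:
        raise UploadRejected("upload exceeds MCP_MAX_UPLOAD_BYTES")
    try:
        data = base64.b64decode(b64, validate=True)  # B3: no silent mangling
    except binascii.Error as exc:
        raise UploadRejected(f"invalid base64: {exc}") from None
    if len(data) > max_bytes:  # the pre-decode bound is an estimate; recheck
        raise UploadRejected("upload exceeds MCP_MAX_UPLOAD_BYTES")
    return data


def write_upload(root: Path, filename: str, data: bytes) -> Path:
    # B5: allowlisted extension only, owner-only directory, 0o600 file.
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    root.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(root, 0o700)  # mkdir's mode is masked by umask; force it
    # H3: UUID name cannot collide; O_EXCL refuses any pre-existing path,
    # including a symlink planted by another local user.
    path = root / f"{uuid.uuid4().hex}{ext}"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


@contextlib.contextmanager
def upload_cleanup_scope():
    # B1/H4: whatever the body registers is unlinked on exit, return or raise.
    created: list = []
    try:
        yield created
    finally:
        for p in created:
            with contextlib.suppress(FileNotFoundError):
                p.unlink()


def scrub_paths(message: str, root: Path) -> str:
    # H2: strip the server-side upload directory from anything sent to callers.
    return message.replace(str(root) + os.sep, "")


def fresh_root() -> Path:
    # Per-run private parent so the example never touches a shared /tmp dir.
    return Path(tempfile.mkdtemp()) / "mcp_office_uploads"


def handle_upload(b64: str, filename: str, root: Path,
                  simulate_failure: bool = False) -> dict:
    """Decode, store, 'process', and report; the temp file never outlives the call."""
    path = None
    try:
        data = decode_upload(b64, env_int("MCP_MAX_UPLOAD_BYTES", DEFAULT_MAX_UPLOAD))
        with upload_cleanup_scope() as created:
            path = write_upload(root, filename, data)
            created.append(path)
            mode = path.stat().st_mode & 0o777
            if simulate_failure:  # stands in for a parser blowing up mid-tool
                raise RuntimeError(f"parser failed on {path}")
            size = path.stat().st_size
    except (UploadRejected, RuntimeError) as exc:
        return {"ok": False, "error": scrub_paths(str(exc), root),
                "gone": path is None or not path.exists()}
    return {"ok": True, "size": size, "mode": mode, "gone": not path.exists()}
```

The pre-decode bound `len(b64) * 3 // 4` is what makes the cap cheap: the request is refused from its encoded length alone, before any allocation, and the post-decode check only closes the small gap padding leaves. `O_EXCL` together with a UUID name is what removes the symlink and collision class of bugs; the `0o600` mode passed to `os.open` and the explicit `chmod` on the directory matter because both are otherwise subject to the process umask.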